Step 1
Ping and Speedtest

I was unable to run a speedtest to the lab servers, as both reported back "unable to connect."
I was able to run a speedtest on my current connection.


Step 2


Based on this log data it appears that one period contained a DDoS attack, from 02-23 14:30 through 02-23 22:30. This is shown by the reduction in upload speed to the server in the speedtest logs.
I do see that the servers recovered after this period.
Step 3


Step 4
Based on this chart we can see that the attack seemed to occur at 8:00am Feb 21st and ended at 2pm Feb 21st. These appear to be failed logins using the credentials "Administrator" and "Administrator Administrator". The number of events per 1-hour time period did not exceed 23 bad attempts an hour, but during the attack it ranged from 34 to 124 an hour. Based on this data I would suggest a baseline alert of 25 bad logins an hour. This would show an attack and not create false positives. On the other hand, at the risk of more false positives, a baseline of 20 and under would only cause 1 false positive in the data viewed. This choice would be up to the senior staff, as both are valid alert points.
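An added example, not part of the lab write-up, of the hourly failed-login alert described in Step 4: it buckets failed-login events into one-hour windows, alerts at or above a threshold, and counts how many alerting hours fall outside the known attack window so the 25 and 20 baselines can be compared. The events, year and per-hour volumes are constructed to match the figures above; they are not the lab's log data.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of failed-logon events (timestamp, account), not real lab data.
# The year is assumed. Hours 08:00-13:00 on Feb 21 carry the elevated volume
# described above; hours 06, 07 and 14 sit at background levels (max 22 < 23).
SAMPLE_EVENTS = (
    [("2024-02-21 06:%02d:00" % (i % 60), "Administrator") for i in range(12)]
    + [("2024-02-21 07:%02d:00" % (i % 60), "Administrator") for i in range(22)]
    + [("2024-02-21 08:%02d:00" % (i % 60), "Administrator") for i in range(34)]
    + [("2024-02-21 09:%02d:00" % (i % 60), "Administrator Administrator") for i in range(124)]
    + [("2024-02-21 13:%02d:00" % (i % 60), "Administrator") for i in range(40)]
    + [("2024-02-21 14:%02d:00" % (i % 60), "Administrator") for i in range(9)]
)


def failed_logins_per_hour(events):
    """Bucket failed-login events into hour-long windows -> {hour_start: count}."""
    counts = Counter()
    for ts, _account in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(minute=0, second=0)
        counts[hour] += 1
    return dict(counts)


def alert_hours(events, threshold):
    """Hour starts whose failed-login count reaches the alert threshold, sorted."""
    return sorted(h for h, n in failed_logins_per_hour(events).items() if n >= threshold)


def evaluate_threshold(events, threshold, attack_start, attack_end):
    """Split alerting hours into true detections (inside the known attack window)
    and false positives (outside it). Returns (detections, false_positives)."""
    start = datetime.strptime(attack_start, "%Y-%m-%d %H:%M:%S")
    end = datetime.strptime(attack_end, "%Y-%m-%d %H:%M:%S")
    hits = alert_hours(events, threshold)
    detected = [h for h in hits if start <= h < end]
    false_pos = [h for h in hits if not (start <= h < end)]
    return len(detected), len(false_pos)


if __name__ == "__main__":
    window = ("2024-02-21 08:00:00", "2024-02-21 14:00:00")
    for threshold in (25, 20):
        hits, fps = evaluate_threshold(SAMPLE_EVENTS, threshold, *window)
        print(f"threshold {threshold}: {hits} attack hours detected, {fps} false positives")
```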

